firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: PCI DSS & Firewalls (Chris Blask)
----------------------------------------------------------------------
Message: 1
Date: Mon, 6 Apr 2009 11:45:31 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <656084.24140.qm@web33802.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii
Hi Jim,
Jim Seymour <jseymour@linxnet.com>, Monday, April 6, 2009 9:25:55 AM
>Bill McGee <bam@cisco.com> wrote:
.d.
> It'd be a damn sight nicer than living in the world in which we
> currently find ourselves, where, due to vendor irresponsibility and
> end-user cluelessness (encouraged by said vendors, IMO), the concept of
> "network security" has become a joke.
Responsibility and cluelessness are not things that I will go out of my way to let anyone off for, but the subtext "encouraged by said vendors, IMO" I have to poke a stick at. Maybe there really are some evil crafty cunning and skilled vendors out there who are manipulating all of this over Beluga caviar, Havana cigars, monocles and really evil laughs, but my experience working at these vendors is that any vendor culpability is much more rooted in the standard SNAFU background radiation that underlies human endeavor. To achieve the foundation for endemically secure design, engineering, implementation and operation of one (1) Global Internet (with "Attached Private Networks" option!) is really really really hard and would require a great deal of effort and resource which has (a) not been spent, (b) won't be spent for a lot of boringly pedantic reasons and (c) would probably be SNAFUed by reality (Bobby Shaftoe would put it more colorfully) and not work, anyway.
.d.
> What Marcus is promoting isn't "wide-eyed idealism," it's reality.
> That reality being there's no such thing as "kind of secure." It's either
> secure or it's not. You, and those who believe, or purport to
> believe, as you do are promoting "good enough." Well, half-way
> measures are *not* "good enough," *never* have been "good enough" and
> never *will* be "good enough."
I have to disagree. There is very much a "kind of secure" and there is by no means any such thing as "secure". "Security" is a mirage - our Fiddlers' Green - to be approached indefinitely but never arrived at. The question is never "how would you like your system secured from all potential intruders?" but rather "how much resource are you willing to spend increasing your system's security from where it is at the moment?" Your network is as secure as (for example) your ability to resist Van Eck Phreaking of your users' monitors, keep them from coming in with pinhole cameras in their shirts to tape everything on their screens, and lock down their brains.
As always, I am not saying that it is not worthwhile and effective to fight the good fight nor that any of us should take our responsibilities lightly - it is and we should. But this is the same old purist vs. pragmatist argument and nothing has ever changed to make me think there is any pure solution to be had. Even the very best Underground Black-Ops Government Datacenter will only incrementally creep closer to being all-caps "secure" and the rest of us will continue to live in a world that is somewhere short of that.
-chris
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 36, Issue 12
************************************************